Compared to MS Threat Management Gateway 2010, analyzing log files on UTM is a chore. TMG had several advantages:
- Unified firewall, WAF and proxy logs.
- Logs were stored in a single file or an internal/external SQL database.
- The interface for analyzing log data was capable of easily creating very complex queries with point and click.
- Logging was on by default.
- Data was broken into columns automatically, did not require parsing a very long text string.
- Easily exported to Excel for further analysis.
I would like to see some of this implemented in UTM. Viewing text files on the Sophos is tedious and quite often results in non-responsive browser sessions.
- A way to parse live logs with more than just one text field.
- The ability to turn on all firewall logging without having to go through each rule, to see which rule is allowing traffic.
- Better log parsing performance when there is a large amount of traffic.
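Until the product does this itself, the column splitting and per-rule view asked for above can be done offline. The following is an added example, not code from the post or from Sophos: it assumes the UTM packetfilter log's key="value" line format with `fwrule` and `action` fields, parses each line into columns, counts packets per rule, and emits CSV for a spreadsheet. The log lines are constructed samples.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample lines in the key="value" style of the Sophos UTM
# packetfilter log (sample content, not taken from the original post).
SAMPLE_LOG = """\
2014:01:10-08:15:01 utm ulogd[4711]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="198.51.100.23" dstip="203.0.113.5" proto="6" srcport="51234" dstport="23" tcpflags="SYN"
2014:01:10-08:15:02 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.0.2.10" dstip="203.0.113.5" proto="6" srcport="40000" dstport="443" tcpflags="SYN"
2014:01:10-08:15:03 utm ulogd[4711]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth0" outitf="eth1" srcip="192.0.2.11" dstip="203.0.113.9" proto="17" srcport="53001" dstport="53"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')          # one key="value" pair
PREFIX_RE = re.compile(r'^(\S+) (\S+) (\S+): ')  # timestamp host process:

def parse_line(line):
    """Split one log line into a dict of columns.

    The syslog-style prefix becomes timestamp/host/process columns and
    every key="value" pair after it becomes one column each.
    """
    m = PREFIX_RE.match(line)
    if not m:
        return None  # not a UTM line in the assumed format; skip it
    row = {"timestamp": m.group(1), "host": m.group(2), "process": m.group(3)}
    row.update(KV_RE.findall(line[m.end():]))
    return row

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def hits_per_rule(rows):
    """Count packets per (fwrule, action): shows which rule allowed or dropped traffic."""
    return Counter((r.get("fwrule", "?"), r.get("action", "?")) for r in rows)

def to_csv(rows, columns):
    """Render the selected columns as CSV text for import into a spreadsheet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for (rule, action), n in sorted(hits_per_rule(rows).items()):
        print(f"fwrule={rule:>6} action={action:<7} packets={n}")
    print(to_csv(rows, ["timestamp", "action", "fwrule", "srcip", "dstip", "dstport"]))
```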